2490184d336357af2480d093a42478fe41240b1bf59606e968ad1fbf45f8114c

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73e85ca2be0c780510f17b4d7620d802.exe
Size

753KB
MD5

73e85ca2be0c780510f17b4d7620d802
SHA1

eeb71556aef088a6881a62823a6a84e99c2b1105
SHA256

2490184d336357af2480d093a42478fe41240b1bf59606e968ad1fbf45f8114c
SHA512

1bfc7150809ad3b43c97deedb038964278c4428e9157056b4597f6af5693de672876ccfc5bb41476f9fac4de34ca7a6057f14b8bc02feeb29f4e2b5b4507a9b5
SSDEEP

12288:0gqOgRUbKNg++JTk6+QmgsxeVDpjMeP9vYtHqcNqPI9n2hTRKfNufc8vy4hp:0gqdRUWNmTk65Z9jytHqIqQ9n4lKlL8h

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2820	beddjafdca.exe

Loads dropped DLL 11 IoCs

pid	Process
2524	73e85ca2be0c780510f17b4d7620d802.exe
2524	73e85ca2be0c780510f17b4d7620d802.exe
2524	73e85ca2be0c780510f17b4d7620d802.exe
2524	73e85ca2be0c780510f17b4d7620d802.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1208	2820	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2768	wmic.exe
Token: SeSecurityPrivilege	2768	wmic.exe
Token: SeTakeOwnershipPrivilege	2768	wmic.exe
Token: SeLoadDriverPrivilege	2768	wmic.exe
Token: SeSystemProfilePrivilege	2768	wmic.exe
Token: SeSystemtimePrivilege	2768	wmic.exe
Token: SeProfSingleProcessPrivilege	2768	wmic.exe
Token: SeIncBasePriorityPrivilege	2768	wmic.exe
Token: SeCreatePagefilePrivilege	2768	wmic.exe
Token: SeBackupPrivilege	2768	wmic.exe
Token: SeRestorePrivilege	2768	wmic.exe
Token: SeShutdownPrivilege	2768	wmic.exe
Token: SeDebugPrivilege	2768	wmic.exe
Token: SeSystemEnvironmentPrivilege	2768	wmic.exe
Token: SeRemoteShutdownPrivilege	2768	wmic.exe
Token: SeUndockPrivilege	2768	wmic.exe
Token: SeManageVolumePrivilege	2768	wmic.exe
Token: 33	2768	wmic.exe
Token: 34	2768	wmic.exe
Token: 35	2768	wmic.exe
Token: SeIncreaseQuotaPrivilege	2768	wmic.exe
Token: SeSecurityPrivilege	2768	wmic.exe
Token: SeTakeOwnershipPrivilege	2768	wmic.exe
Token: SeLoadDriverPrivilege	2768	wmic.exe
Token: SeSystemProfilePrivilege	2768	wmic.exe
Token: SeSystemtimePrivilege	2768	wmic.exe
Token: SeProfSingleProcessPrivilege	2768	wmic.exe
Token: SeIncBasePriorityPrivilege	2768	wmic.exe
Token: SeCreatePagefilePrivilege	2768	wmic.exe
Token: SeBackupPrivilege	2768	wmic.exe
Token: SeRestorePrivilege	2768	wmic.exe
Token: SeShutdownPrivilege	2768	wmic.exe
Token: SeDebugPrivilege	2768	wmic.exe
Token: SeSystemEnvironmentPrivilege	2768	wmic.exe
Token: SeRemoteShutdownPrivilege	2768	wmic.exe
Token: SeUndockPrivilege	2768	wmic.exe
Token: SeManageVolumePrivilege	2768	wmic.exe
Token: 33	2768	wmic.exe
Token: 34	2768	wmic.exe
Token: 35	2768	wmic.exe
Token: SeIncreaseQuotaPrivilege	2864	wmic.exe
Token: SeSecurityPrivilege	2864	wmic.exe
Token: SeTakeOwnershipPrivilege	2864	wmic.exe
Token: SeLoadDriverPrivilege	2864	wmic.exe
Token: SeSystemProfilePrivilege	2864	wmic.exe
Token: SeSystemtimePrivilege	2864	wmic.exe
Token: SeProfSingleProcessPrivilege	2864	wmic.exe
Token: SeIncBasePriorityPrivilege	2864	wmic.exe
Token: SeCreatePagefilePrivilege	2864	wmic.exe
Token: SeBackupPrivilege	2864	wmic.exe
Token: SeRestorePrivilege	2864	wmic.exe
Token: SeShutdownPrivilege	2864	wmic.exe
Token: SeDebugPrivilege	2864	wmic.exe
Token: SeSystemEnvironmentPrivilege	2864	wmic.exe
Token: SeRemoteShutdownPrivilege	2864	wmic.exe
Token: SeUndockPrivilege	2864	wmic.exe
Token: SeManageVolumePrivilege	2864	wmic.exe
Token: 33	2864	wmic.exe
Token: 34	2864	wmic.exe
Token: 35	2864	wmic.exe
Token: SeIncreaseQuotaPrivilege	2864	wmic.exe
Token: SeSecurityPrivilege	2864	wmic.exe
Token: SeTakeOwnershipPrivilege	2864	wmic.exe
Token: SeLoadDriverPrivilege	2864	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2820	2524	73e85ca2be0c780510f17b4d7620d802.exe	28
PID 2524 wrote to memory of 2820	2524	73e85ca2be0c780510f17b4d7620d802.exe	28
PID 2524 wrote to memory of 2820	2524	73e85ca2be0c780510f17b4d7620d802.exe	28
PID 2524 wrote to memory of 2820	2524	73e85ca2be0c780510f17b4d7620d802.exe	28
PID 2820 wrote to memory of 2768	2820	beddjafdca.exe	29
PID 2820 wrote to memory of 2768	2820	beddjafdca.exe	29
PID 2820 wrote to memory of 2768	2820	beddjafdca.exe	29
PID 2820 wrote to memory of 2768	2820	beddjafdca.exe	29
PID 2820 wrote to memory of 2864	2820	beddjafdca.exe	32
PID 2820 wrote to memory of 2864	2820	beddjafdca.exe	32
PID 2820 wrote to memory of 2864	2820	beddjafdca.exe	32
PID 2820 wrote to memory of 2864	2820	beddjafdca.exe	32
PID 2820 wrote to memory of 2624	2820	beddjafdca.exe	34
PID 2820 wrote to memory of 2624	2820	beddjafdca.exe	34
PID 2820 wrote to memory of 2624	2820	beddjafdca.exe	34
PID 2820 wrote to memory of 2624	2820	beddjafdca.exe	34
PID 2820 wrote to memory of 2344	2820	beddjafdca.exe	37
PID 2820 wrote to memory of 2344	2820	beddjafdca.exe	37
PID 2820 wrote to memory of 2344	2820	beddjafdca.exe	37
PID 2820 wrote to memory of 2344	2820	beddjafdca.exe	37
PID 2820 wrote to memory of 2012	2820	beddjafdca.exe	38
PID 2820 wrote to memory of 2012	2820	beddjafdca.exe	38
PID 2820 wrote to memory of 2012	2820	beddjafdca.exe	38
PID 2820 wrote to memory of 2012	2820	beddjafdca.exe	38
PID 2820 wrote to memory of 1208	2820	beddjafdca.exe	40
PID 2820 wrote to memory of 1208	2820	beddjafdca.exe	40
PID 2820 wrote to memory of 1208	2820	beddjafdca.exe	40
PID 2820 wrote to memory of 1208	2820	beddjafdca.exe	40

C:\Users\Admin\AppData\Local\Temp\73e85ca2be0c780510f17b4d7620d802.exe
"C:\Users\Admin\AppData\Local\Temp\73e85ca2be0c780510f17b4d7620d802.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\beddjafdca.exe
  C:\Users\Admin\AppData\Local\Temp\beddjafdca.exe 2!0!8!1!3!3!8!9!3!2!9 LVBBQzouMSozMRctU01BTUY8NC0eJkxFTFZMT0NAQTsoIzIob29sXGxgcmVfbV08T2JhZF5lXB4vPEhQUUE7OjAuNTEqHyxAQTs6LhctUEpOQVI7S1xHOzsyLjgxMBgmUENJVEVKXlJPRDRlcmtuOicucG9uJUFDSkktTE5NKjlHTSxATEZHHyxAREBASUBCPRguQS41JC4eJkIyNSwuHSc7MDskLyAnQzE6JSgdLTszPSUwHSxISUxCTEFUV09PRk44QFc0Hi9IUUxBTTpRXTxTTDk8HSxISUxCTEFUV00+Sj00HS08VkVXVE9JNRcsQ09DXztMQUlBRUI7Fy1IR1JRXDpJTFVKQ1I1NB0sTD8+TEJXT01eUk9ENB0tTUs9Kh8sQUsoOh4mUFVGU0ZKPVZUQ0NBT0VERko5PkJTSUo9GC5GUFdJUkxLR009PHFvbVwdLUlDVE1RS0ZGPlxTSkNSV0M+Vks0Lx4mRkk8RFU6KRcsR0pdRFFNPkpBOlxDRUFSUU9RQjw0Y19jcWUYLkFMT0VJTThCX0FPOi4oKisxLiwyKDArNTEXLFJAS0U1MDEwKzAuMyozNhguQUxPRUlNOEJfTEhKQjUtLC8nLTIoMDInLTExNzEvNiJASg==
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706162245.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706162245.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706162245.txt bios get version
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706162245.txt bios get version
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81706162245.txt bios get version
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81706162245.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81706162245.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81706162245.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\beddjafdca.exe

Filesize
501KB

MD5
e69110b1e155bf60a629eddf2f9f8ec6

SHA1
e994e2c81b9cc557ab5f8685cd001fe61d1dcbd7

SHA256
243d708a170a11d958c3b2e422118e31b0277453ba6841e8c71025b544cda100

SHA512
c96f943ceec602f60944e3b1ef1b639ec91b64f43b5e59804286e6e60bf7d801d512a080cbafe2f91e8dd0e8ed8dd31f0e426c970264b30cd05bcbdb3ee6c0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\beddjafdca.exe

Filesize
529KB

MD5
7012ae2168adb6f2f9d23ebb02433018

SHA1
c862eb043886eb6dc130c874980001eb379958c0

SHA256
473901778c51b5987e22767969249e938aa64c816cde84ec86ec2f9d97df6390

SHA512
b4470636509ac121f38ba995bad6cea13d28c17cdeabdfdce4c678ada7176b1a4db5720d6863cde1d55c2bbc297fe59d4e16b3f170d57c8918fdd45797605c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3802.tmp\jkmxtii.dll

Filesize
158KB

MD5
b494208d857adf16f64eee4887720973

SHA1
e254c004a55d3dc5f3e928aa85f29c829f1b210c

SHA256
da43bf45c498988d7658d66967d45bfc37f522e4a79b05b7c63cf6caafb3b916

SHA512
737b21bccbdbe8fde3a7d79d28bc3d1895a0025fb8747b72e50142b65acfa69515c68c6d03bb5409a684f159e35b9700d7fc1f916a5d6cbae3ca8cb67855f273

Download Submit
\Users\Admin\AppData\Local\Temp\beddjafdca.exe

Filesize
818KB

MD5
7d424ec9f62a8a01a924a8fe80fed8b2

SHA1
44521a49d124f23abe681ab48338886ce711ea53

SHA256
5349d54d404d1567e60f512977da254f82f57452f7c9b66bbd6759dc3a7c1c9c

SHA512
7043abb7e193acf2c1572fc1528fac8575364448c88228a3335a66d653160d508d8c0e44e6d91d0faa3a1dffeb63d5fed82dfad5305e4e61af220020df92098e

Download Submit
\Users\Admin\AppData\Local\Temp\beddjafdca.exe

Filesize
586KB

MD5
8929bbad38a561e742db157d9f7d12c3

SHA1
3c237c9b8e7d29df84766020b4cd60d3ad6f0103

SHA256
6b66443d01ae8082347fb02b23edba1ad59534c6680194fe67618f258e7e04b2

SHA512
25e4fbbebe126b1f52d9f05584481e9728ac970245204f0eeface4ce4c82ff9c4c2289f62283f70b8d074564277f559ed44c77e175c781bb32abed03a9a7cc6b

Download Submit
\Users\Admin\AppData\Local\Temp\beddjafdca.exe

Filesize
1.1MB

MD5
9b484eba6a5db043766283d81f055d93

SHA1
7e1651d58c02b4be6f68f4834ba5ecd8a9555447

SHA256
a9e76fb876ace32077b6e70dd2ea93fa0d76a6c4860d41e46c7356779c622cd5

SHA512
4aadddb19c162d0e89b6d0506916ff52d2306cdb2590739a2dd683c0a923a5281000bb9bf198805aa8dfcfabadb8eef5bc9f39beb3b93c1b19c6e6d1d8640c22

Download Submit
\Users\Admin\AppData\Local\Temp\beddjafdca.exe

Filesize
1.1MB

MD5
2058d1a47f43fc10fd87f4c1a391aaab

SHA1
55e3ca7cf4724f06563c1a3e1ac29001bae16deb

SHA256
4a7b529bbd14eae59552a9198e3df6584d723b9650e1e3c2a0d3b888597b2a1a

SHA512
ad0d5ce1b465c49667b14e0bbd849ad17e429559124b61949d03c064d61247cfc97cf4c2b741bfb473f194a78c23bbd7f06d0d926182c66078c1887e1dd08fe2

Download Submit
\Users\Admin\AppData\Local\Temp\beddjafdca.exe

Filesize
1.2MB

MD5
828db2e194dd94681679ba8a6190afaf

SHA1
9df6ad9f15c66fd16447d31fdf702cdf357bacb5

SHA256
9f132fbf56015410106863b116c983c230b50f9edeb5c7ab02d99c3e8ea4e7b3

SHA512
842517ba3622b44ed22413254ab634c0392e4f307f871135ac9148801c589e686e449009535350c5c622988c4bae4d1fbd356cff76388d3212f4f1e9a31f32ff

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3802.tmp\ZipDLL.dll

Filesize
163KB

MD5
2dc35ddcabcb2b24919b9afae4ec3091

SHA1
9eeed33c3abc656353a7ebd1c66af38cccadd939

SHA256
6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1

SHA512
0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

Download Submit